Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
* Backport upstream patches to fix CVE-2017-11109 (Closes: #867720) + 8.0.0703: Illegal memory access with empty :doau command + 8.0.0706: Crash when cancelling the cmdline window in Ex mode + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diffstat for vim-8.0.0197 vim-8.0.0197 changelog | 9 + patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch | 2 patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch | 2 patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch | 2 patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch | 6 patches/series | 3 patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch | 4 patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch | 6 patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch | 2 patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch | 69 ++++++++++ patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch | 42 ++++++ patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch | 40 +++++ 12 files changed, 175 insertions(+), 12 deletions(-) diff -Nru vim-8.0.0197/debian/changelog vim-8.0.0197/debian/changelog --- vim-8.0.0197/debian/changelog 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/changelog 2017-09-30 14:21:38.000000000 -0400 
@@ -1,3 +1,12 @@ +vim (2:8.0.0197-4+deb9u1) stretch; urgency=medium + + * Backport upstream patches to fix CVE-2017-11109 (Closes: #867720) + + 8.0.0703: Illegal memory access with empty :doau command + + 8.0.0706: Crash when cancelling the cmdline window in Ex mode + + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands + + -- James McCoy <james...@debian.org> Sat, 30 Sep 2017 14:21:38 -0400 + vim (2:8.0.0197-4) unstable; urgency=medium * Backport upstream patch v8.0.0550 to fix a regression in tag lookups for diff -Nru vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch --- vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch 2017-09-30 14:21:38.000000000 -0400 @@ -13,7 +13,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runtime/filetype.vim b/runtime/filetype.vim -index 9c9c808b4..13e2c0479 100644 +index 9c9c808..13e2c04 100644 --- a/runtime/filetype.vim +++ b/runtime/filetype.vim @@ -2227,7 +2227,7 @@ func! s:FTtex() diff -Nru vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch --- vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch 2017-09-30 14:21:38.000000000 -0400 @@ -8,7 +8,7 @@ 1 file changed, 8 insertions(+) diff --git a/runtime/scripts.vim b/runtime/scripts.vim -index 276382808..d3101c6b7 100644 +index 2763828..d3101c6 100644 --- a/runtime/scripts.vim +++ b/runtime/scripts.vim 
@@ -332,6 +332,14 @@ else diff -Nru vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch --- vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch 2017-09-30 14:21:38.000000000 -0400 @@ -15,7 +15,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt -index 88dca60b7..2520cc3d6 100644 +index 88dca60..2520cc3 100644 --- a/runtime/doc/options.txt +++ b/runtime/doc/options.txt @@ -5126,7 +5126,7 @@ A jump table for the options with a short description can be found at |Q_op|. diff -Nru vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch --- vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch 2017-09-30 14:21:38.000000000 -0400 @@ -17,7 +17,7 @@ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/src/main.c b/src/main.c -index f3c471a85..0d7de4f2c 100644 +index f3c471a..0d7de4f 100644 --- a/src/main.c +++ b/src/main.c @@ -1729,6 +1729,10 @@ parse_command_name(mparm_T *parmp) @@ -56,7 +56,7 @@ { /* When no .vimrc file was found: source defaults.vim. */ diff --git a/src/os_unix.h b/src/os_unix.h -index d28aa4dde..3a00e05df 100644 +index d28aa4d..3a00e05 100644 --- a/src/os_unix.h +++ b/src/os_unix.h @@ -213,6 +213,9 @@ typedef struct dsc$descriptor DESC; @@ -70,7 +70,7 @@ # define SYS_VIMRC_FILE "$VIM/vimrc" #endif 
diff --git a/src/structs.h b/src/structs.h -index 9c0e0468b..988ce660f 100644 +index 9c0e046..988ce66 100644 --- a/src/structs.h +++ b/src/structs.h @@ -3261,6 +3261,9 @@ typedef struct diff -Nru vim-8.0.0197/debian/patches/series vim-8.0.0197/debian/patches/series --- vim-8.0.0197/debian/patches/series 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/series 2017-09-30 14:21:38.000000000 -0400 @@ -10,3 +10,6 @@ upstream/patch-8.0.0378-possible-overflow-when-reading-corrupted-u.patch upstream/patch-8.0.0550-cannot-parse-some-etags-format-tags-file.patch upstream/Update-releases-in-deb-changelog-sources-syntax-files.patch +upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch +upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch +upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch diff -Nru vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch --- vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/upstream/Add-Zesty-Zapus-to-deb-changelog-sources-syntax-files.patch 2017-09-30 14:21:38.000000000 -0400 @@ -8,7 +8,7 @@ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/runtime/syntax/debchangelog.vim b/runtime/syntax/debchangelog.vim -index a10e4ad34..eb02aaf4a 100644 +index a10e4ad..eb02aaf 100644 --- a/runtime/syntax/debchangelog.vim +++ b/runtime/syntax/debchangelog.vim @@ -3,7 +3,7 @@ @@ -30,7 +30,7 @@ syn match debchangelogCloses contained "closes:\_s*\(bug\)\=#\=\_s\=\d\+\(,\_s*\(bug\)\=#\=\_s\=\d\+\)*" syn match debchangelogLP contained "\clp:\s\+#\d\+\(,\s*#\d\+\)*" diff --git a/runtime/syntax/debsources.vim b/runtime/syntax/debsources.vim -index 277794497..390c43035 100644 +index 2777944..390c430 100644 
--- a/runtime/syntax/debsources.vim +++ b/runtime/syntax/debsources.vim @@ -2,7 +2,7 @@ diff -Nru vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch --- vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch 2017-04-23 08:10:29.000000000 -0400 +++ vim-8.0.0197/debian/patches/upstream/debcontrol.vim-Add-sections-for-Rust-and-JavaScript.patch 2017-09-30 14:21:38.000000000 -0400 @@ -8,7 +8,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runtime/syntax/debcontrol.vim b/runtime/syntax/debcontrol.vim -index b52c496c9..b1bc9f8bf 100644 +index b52c496..b1bc9f8 100644 --- a/runtime/syntax/debcontrol.vim +++ b/runtime/syntax/debcontrol.vim @@ -38,7 +38,7 @@ unlet s:kernels s:archs s:pairs diff -Nru vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch --- vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch 1969-12-31 19:00:00.000000000 -0500 +++ vim-8.0.0197/debian/patches/upstream/patch-8.0.0703-illegal-memory-access-with-empty-doau-comm.patch 2017-09-30 14:21:38.000000000 -0400 
@@ -0,0 +1,69 @@
+From: Bram Moolenaar <b...@vim.org>
+Date: Sun, 9 Jul 2017 11:07:16 +0200
+Subject: patch 8.0.0703: illegal memory access with empty :doau command
+
+Problem: Illegal memory access with empty :doau command.
+Solution: Check the event for being out of range. (James McCoy)
+---
+ src/fileio.c | 7 ++++---
+ src/testdir/test_autocmd.vim | 4 ++++
+ src/version.c | 2 ++
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/fileio.c b/src/fileio.c
+index aeb53b5..d305c82 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -8790,7 +8790,7 @@ do_doautocmd(
+ /*
+ * Loop over the events.
+ */
+- while (*arg && !vim_iswhite(*arg))
++ while (*arg && !ends_excmd(*arg) && !vim_iswhite(*arg))
+ if (apply_autocmds_group(event_name2nr(arg, &arg),
+ fname, NULL, TRUE, group, curbuf, NULL))
+ nothing_done = FALSE;
+@@ -9306,7 +9306,8 @@ apply_autocmds_group(
+ * Quickly return if there are no autocommands for this event or
+ * autocommands are blocked.
+ */
+- if (first_autopat[(int)event] == NULL || autocmd_blocked > 0)
++ if (event == NUM_EVENTS || first_autopat[(int)event] == NULL
++ || autocmd_blocked > 0)
+ goto BYPASS_AU;
+
+ /*
+@@ -9379,7 +9380,7 @@ apply_autocmds_group(
+ {
+ if (event == EVENT_COLORSCHEME || event == EVENT_OPTIONSET)
+ autocmd_fname = NULL;
+- else if (fname != NULL && *fname != NUL)
++ else if (fname != NULL && !ends_excmd(*fname))
+ autocmd_fname = fname;
+ else if (buf != NULL)
+ autocmd_fname = buf->b_ffname;
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 566a07c..2a783f4 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -341,3 +341,7 @@ func Test_BufEnter()
+ call delete('Xdir', 'd')
+ au! BufEnter
+ endfunc
++
++func Test_empty_doau()
++ doau \|
++endfunc
+diff --git a/src/version.c b/src/version.c
+index b10438e..6781ef2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 703,
++/**/
+ 550,
+ /**/
+ 378,
diff -Nru vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch
--- vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-8.0.0197/debian/patches/upstream/patch-8.0.0706-crash-when-cancelling-the-cmdline-window-i.patch 2017-09-30 14:21:38.000000000 -0400
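Review bot: Test_empty_doau in src/testdir/test_autocmd.vim runs `doau \|` with no assertion, so it fails only if Vim actually faults. The defect fixed here is an out-of-range index into first_autopat[] in apply_autocmds_group, and a read just past an array does not reliably crash in an ordinary build, so the test is a dependable regression guard only when the suite runs under valgrind or AddressSanitizer. A comment in the test would make that explicit, for example `" Only a crash fails this test; run under valgrind or ASan to catch the out-of-range read.`. Separately, the new guard compares `event == NUM_EVENTS` only; writing it as `event >= NUM_EVENTS` would also reject any other out-of-range value, should one be able to reach this function (its callers are not visible here). Both do_doautocmd and apply_autocmds_group continue outside the hunks shown.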
@@ -0,0 +1,42 @@
+From: Bram Moolenaar <b...@vim.org>
+Date: Tue, 11 Jul 2017 15:11:57 +0200
+Subject: patch 8.0.0706: crash when cancelling the cmdline window in Ex mode
+
+Problem: Crash when cancelling the cmdline window in Ex mode. (James McCoy)
+Solution: Do not set cmdbuff to NULL, make it empty.
+---
+ src/ex_getln.c | 6 ++++++
+ src/version.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 581c444..f0a4329 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -7003,7 +7003,13 @@ ex_window(void)
+ else
+ ccline.cmdbuff = vim_strsave(ml_get_curline());
+ if (ccline.cmdbuff == NULL)
++ {
++ ccline.cmdbuff = vim_strsave((char_u *)"");
++ ccline.cmdlen = 0;
++ ccline.cmdbufflen = 1;
++ ccline.cmdpos = 0;
+ cmdwin_result = Ctrl_C;
++ }
+ else
+ {
+ ccline.cmdlen = (int)STRLEN(ccline.cmdbuff);
+diff --git a/src/version.c b/src/version.c
+index 6781ef2..6986625 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 706,
++/**/
+ 703,
+ /**/
+ 550,
diff -Nru vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch
--- vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch 1969-12-31 19:00:00.000000000 -0500
+++ vim-8.0.0197/debian/patches/upstream/patch-8.0.0707-freeing-wrong-memory-with-certain-autocomm.patch 2017-09-30 14:21:38.000000000 -0400
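Review bot: The result of the added `vim_strsave((char_u *)"")` in ex_window is not checked, so if that allocation fails ccline.cmdbuff is still NULL while cmdlen, cmdbufflen and cmdpos are set as though a one-byte buffer existed. The same branch is taken when `vim_strsave(ml_get_curline())` on the preceding line returned NULL, which is exactly the low-memory situation in which a second allocation is likely to fail as well, so the crash the patch describes is presumably still reachable on that path. If a real fallback is not wanted in a stable backport, a comment such as `/* May still be NULL when out of memory; callers in Ex mode must cope. */` would at least record the remaining gap. Neither this patch nor 8.0.0707 adds a regression test, unlike 8.0.0703. ex_window starts and ends outside the hunk, so how cmdbuff is consumed afterwards cannot be confirmed from here.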
@@ -0,0 +1,40 @@
+From: Bram Moolenaar <b...@vim.org>
+Date: Tue, 11 Jul 2017 18:28:46 +0200
+Subject: patch 8.0.0707: freeing wrong memory with certain autocommands
+
+Problem: Freeing wrong memory when manipulating buffers in autocommands.
+ (James McCoy)
+Solution: Also set the w_s pointer if w_buffer was NULL.
+---
+ src/ex_cmds.c | 4 ++--
+ src/version.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 00cac92..628d27b 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3967,8 +3967,8 @@ do_ecmd(
+ * <VN> We could instead free the synblock
+ * and re-attach to buffer, perhaps.
+ */
+- if (curwin->w_buffer != NULL
+- && curwin->w_s == &(curwin->w_buffer->b_s))
++ if (curwin->w_buffer == NULL
++ || curwin->w_s == &(curwin->w_buffer->b_s))
+ curwin->w_s = &(buf->b_s);
+ #endif
+ curwin->w_buffer = buf;
+diff --git a/src/version.c b/src/version.c
+index 6986625..59ef8b2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -771,6 +771,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 707,
++/**/
+ 706,
+ /**/
+ 703,
diff -Nru vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
--- vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch 2017-04-23 08:10:29.000000000 -0400
+++ vim-8.0.0197/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch 2017-09-30 14:21:38.000000000 -0400
@@ -23,7 +23,7 @@
 3 files changed, 19 insertions(+)
 diff --git a/src/config.h.in b/src/config.h.in
-index 38b0ccf53..ab8f20207 100644
+index 38b0ccf..ab8f202 100644
 --- a/src/config.h.in
 +++ b/src/config.h.in
 @@ -30,6 +30,9 @@
@@ -37,7 +37,7 @@
 #undef HAVE_ATTRIBUTE_UNUSED
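Review bot: Nothing next to the changed `if` in do_ecmd explains the new `curwin->w_buffer == NULL` case; the only comment visible is the older `<VN>` remark about freeing the synblock. According to the patch description, leaving w_s untouched in that case led to freeing the wrong memory, presumably because w_s still pointed into a buffer that an autocommand had already removed. A short comment above the condition would keep a later cleanup from restoring the `!= NULL &&` form, for example `/* w_buffer can be NULL after autocommands; w_s must then be re-pointed at buf as well. */`. do_ecmd starts and ends outside the hunk, so the path that leaves w_buffer NULL cannot be confirmed from the lines shown.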
diff --git a/src/configure.ac b/src/configure.ac -index 1706a8d9a..9cf8b9615 100644 +index 1706a8d..9cf8b96 100644 --- a/src/configure.ac +++ b/src/configure.ac @@ -29,6 +29,16 @@ dnl in autoconf needs it, where it uses STDC_HEADERS. @@ -58,7 +58,7 @@ AC_MSG_CHECKING(--enable-fail-if-missing argument) diff --git a/src/version.c b/src/version.c -index 71c04506f..dacb42db0 100644 +index 71c0450..dacb42d 100644 --- a/src/version.c +++ b/src/version.c @@ -44,11 +44,17 @@ make_version(void)